Chinese Journal of Network and Information Security (网络与信息安全学报) ›› 2018, Vol. 4 ›› Issue (6): 11-22. doi: 10.11959/j.issn.2096-109x.2018053


Risk assessment method for network attack surface based on Bayesian attack graph

Yuyang ZHOU1,2,3, Guang CHENG1,2,3, Chunsheng GUO1,2,3

  1. School of Cyber Science and Technology, Southeast University, Nanjing 211189, China
  2. School of Computer Science and Engineering, Southeast University, Nanjing 211189, China
  3. Key Laboratory of Computer Network and Information Integration of Ministry of Education (Southeast University), Nanjing 211189, China
  • Revised: 2018-06-02 Online: 2018-06-15 Published: 2018-08-08
  • About the authors: Yuyang ZHOU (born 1994), male, from Taizhou, Jiangsu, is a PhD candidate at Southeast University; his main research interests are network security and moving target defense. | Guang CHENG (born 1973), male, from Huangshan, Anhui, holds a PhD and is a professor and doctoral supervisor at Southeast University; his main research interests are network measurement, network security and network management. | Chunsheng GUO (born 1994), male, from Nanyang, Henan, is a master's student at Southeast University; his main research interest is network security.
  • Supported by:
    The National Natural Science Foundation of China (61602114); The National Key R&D Plan Program of China (2017YFB0801703)

Abstract:

Moving target defense lacks an objective risk assessment for the network attack surface. To assess the security risk of a network system effectively and to infer potential attack paths, a risk assessment method for the network attack surface based on a Bayesian attack graph is proposed. A Bayesian attack graph is built from the resources and vulnerabilities of the network system and the dependencies between them. Taking into account the dependencies between nodes, the correlation between uses of resources, and the influence of attack behavior on the attack path, the method infers the probability that an attacker reaches each state and the maximum-probability attack path. Experimental results demonstrate the feasibility and effectiveness of the proposed method, which can provide good support for selecting dynamic defensive measures for the attack surface.

Key words: moving target defense, security risk assessment, Bayesian attack graph, attack surface, attack path
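
The inference the abstract describes can be illustrated on a small constructed graph. The Python example below is added here and is not the paper's implementation: it assumes noisy-OR conditional probabilities, and the state names and exploit probabilities are made up. It computes the exact probability of reaching each state and the maximum-probability attack path.

```python
from itertools import product
from math import prod

# Constructed sample graph (not from the paper). Each state lists its parent
# states with the assumed success probability of the exploit on that edge.
# Keys are in topological order; "attacker" is the entry state.
PRIOR = {"attacker": 1.0}
EDGES = {
    "web_user": {"attacker": 0.8},
    "ftp_user": {"attacker": 0.5},
    "db_user":  {"web_user": 0.6, "ftp_user": 0.4},
    "db_root":  {"db_user": 0.9, "ftp_user": 0.3},
}
NODES = list(PRIOR) + list(EDGES)

def local_prob(node, state):
    """P(node compromised | parent states), assuming a noisy-OR gate."""
    if node in PRIOR:
        return PRIOR[node]
    return 1.0 - prod(1.0 - p for par, p in EDGES[node].items() if state[par])

def marginals():
    """Exact P(state reached), summing the joint over all 2^n assignments.

    Enumeration keeps the dependence between states that share an ancestor
    (db_user and ftp_user here), which per-node propagation would ignore.
    """
    reach = dict.fromkeys(NODES, 0.0)
    for bits in product((False, True), repeat=len(NODES)):
        state = dict(zip(NODES, bits))
        joint = 1.0
        for n in NODES:
            p = local_prob(n, state)
            joint *= p if state[n] else 1.0 - p
        for n in NODES:
            if state[n]:
                reach[n] += joint
    return reach

def max_probability_path(target):
    """Chain of exploits from the entry state with the largest probability product."""
    best = {n: (PRIOR[n], [n]) for n in PRIOR}
    for n in EDGES:  # relies on the topological order of EDGES
        best[n] = max((best[par][0] * p, best[par][1] + [n])
                      for par, p in EDGES[n].items())
    return best[target]

if __name__ == "__main__":
    for name, p in marginals().items():
        print(f"{name:10s} {p:.5f}")
    print(max_probability_path("db_root"))
```

Exhaustive enumeration is exponential in the number of states, so it suits only small graphs like this one.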
